It probably won't surprise anyone that attackers can take over your computer if they have physical access to it for even a moment. But what do we mean by "physical access"? It doesn't always have to be an unlocked computer forgotten in the office.
In this article, we’ll look at what such an attack might look like and what devices are used to carry it out. These are relatively fast attacks in which the attacker does not need to dismantle the hardware, but uses the available ports and often exploits the weakest link in the company’s security – its employees. In most cases, all it takes is to connect a simple device.
It should be mentioned that accessing a computer system without the owner’s permission is against the law, and an attacker can face up to eight years in prison for it. However, the same procedures are also used in the penetration tests that we perform at Axians.
A simple flash drive
An attacker can easily read data from a computer’s hard drive by booting it from a USB flash drive that carries its own operating system, as long as the disk is not encrypted. A live Linux distribution such as Ubuntu or Kali, a flash drive with Windows installation files, or a DVD drive can be used for the attack. Once that operating system has started, the attacker has access to all files on the local disk. He can even extract user password hashes from the registry files and often recover the passwords themselves. He can also modify files on the disk or add a new local administrator account to the compromised computer.
Another type of attack does not even require the attacker to be present at the compromised computer. It consists of leaving a USB flash drive where a suitable victim will find it, such as next to a copier. This attack relies on the curiosity of the victim, who connects the drive to a computer and opens a file with a tempting name such as “executives rewards”. Depending on the type of file opened, this triggers the malicious action, for example sending information to the attacker’s server or establishing a connection that allows the computer to be controlled remotely.
An “evil flash drive” looks like an ordinary USB flash drive, but when it is plugged in, the computer identifies it as a keyboard. This virtual keyboard types a pre-programmed sequence of keystrokes very quickly. Typically, it “presses” the WIN+R shortcut and uses PowerShell to download and run a script or program that allows remote control of the computer. Examples of such devices are the Rubber Ducky and various boards and developer kits sold in Chinese e-shops.
For the attack to succeed, all it takes is for the user to walk away from the computer without locking the screen. The attacker plugs the device into a USB port and within a few seconds can control the computer remotely. Alternatively, as in the previous case, the attacker plants the “flash drive” where the victim will find it and plug it in; the attack then runs automatically as soon as the device is connected.
The defence is simple: if a potential attacker (including a sneaky colleague) can get to your computer, lock your screen whenever you leave it, and do not connect suspicious devices to your computer.
A small computer in a USB port
Attackers can also plug in a small computer that is only slightly larger than a regular “flash drive”. It can identify itself as a keyboard, a USB drive, a network card, or even all of these at the same time. This streamlines the virtual keyboard attack described above: the scripts or programs no longer have to be downloaded from the Internet, because they can be read directly from the connected device. Similarly, the information obtained does not need to be sent to the attacker over the network, but can be stored directly on the device. If the device is connected in network card mode, the password hash of the logged-in user can be obtained using the Responder tool.
Examples of such devices are the Bash Bunny or a Raspberry Pi Zero, which supports various USB OTG modes in which it can act as a keyboard, a mouse or another kind of USB device.
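Both the extra “keyboard” that a keystroke injector adds and the composite keyboard-plus-storage-plus-network gadget described above leave a trace in the operating system’s device log. The following script is an added example (not code from the article or any vendor): it parses Linux kernel log lines from a USB enumeration, groups them by port, and flags a keyboard that also exposes storage or a network interface, or the presence of more than one keyboard. The log lines, vendor and product IDs are constructed for this example; real message wording varies by kernel version and driver.

```python
"""Flag suspicious USB enumerations in Linux kernel log output. Added example for the
article, not its code. SAMPLE_LOG is constructed (placeholder vendor/product IDs): an
ordinary keyboard on port 1-3, a plain flash drive on 1-4, and on 1-5 a gadget that
enumerates as keyboard + mass storage + network adapter at the same time."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
[   12.10] usb 1-3: New USB device found, idVendor=aaaa, idProduct=0001, bcdDevice= 1.00
[   12.11] input: Demo Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:AAAA:0001.0001/input/input5
[   12.12] hid-generic 0003:AAAA:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Demo Keyboard] on usb-0000:00:14.0-3/input0
[  300.40] usb 1-4: New USB device found, idVendor=bbbb, idProduct=0002, bcdDevice= 1.00
[  300.41] usb-storage 1-4:1.0: USB Mass Storage device detected
[  420.50] usb 1-5: New USB device found, idVendor=cccc, idProduct=0003, bcdDevice= 1.00
[  420.51] input: Composite Gadget as /devices/pci0000:00/0000:00:14.0/usb1/1-5/1-5:1.0/0003:CCCC:0003.0002/input/input6
[  420.52] hid-generic 0003:CCCC:0003.0002: input,hidraw1: USB HID v1.11 Keyboard [Composite Gadget] on usb-0000:00:14.0-5/input0
[  420.53] usb-storage 1-5:1.1: USB Mass Storage device detected
[  420.54] cdc_ether 1-5:1.2 usb0: register 'cdc_ether' at usb-0000:00:14.0-5, CDC Ethernet Device, 02:00:00:00:00:01
"""

NEW_DEV = re.compile(r"usb (\d+-[\d.]+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
INPUT_PATH = re.compile(r"input: .* as /devices/.*/usb\d+/(\d+-[\d.]+)/[^/]+/(0003:[0-9A-Fa-f:.]+)/input/")
HID_KBD = re.compile(r"hid-generic (0003:[0-9A-Fa-f:.]+): .*USB HID v[\d.]+ Keyboard")
IFACE = re.compile(r"(usb-storage|cdc_ether|rndis_host|cdc_ncm) (\d+-[\d.]+):\d+\.\d+")

def parse_usb_log(text):
    # port (e.g. "1-5") -> vendor/product IDs and the set of roles the device exposes
    devices = defaultdict(lambda: {"vid": None, "pid": None, "roles": set()})
    hid_to_port = {}  # HID bus id (0003:VVVV:PPPP.NNNN) -> port, learned from the "input:" line
    for line in text.splitlines():
        if m := NEW_DEV.search(line):
            devices[m.group(1)].update(vid=m.group(2), pid=m.group(3))
        elif m := INPUT_PATH.search(line):
            hid_to_port[m.group(2)] = m.group(1)
        elif (m := HID_KBD.search(line)) and m.group(1) in hid_to_port:
            devices[hid_to_port[m.group(1)]]["roles"].add("keyboard")
        elif m := IFACE.search(line):
            devices[m.group(2)]["roles"].add("storage" if m.group(1) == "usb-storage" else "network")
    return dict(devices)

def assess(devices):
    # Findings: a keyboard that also exposes other roles, or more than one keyboard present
    findings = []
    for port, dev in sorted(devices.items()):
        extra = dev["roles"] - {"keyboard"}
        if "keyboard" in dev["roles"] and extra:
            findings.append((port, f"{dev['vid']}:{dev['pid']} is a keyboard plus {', '.join(sorted(extra))}"))
    keyboards = sorted(p for p, d in devices.items() if "keyboard" in d["roles"])
    if len(keyboards) > 1:
        findings.append(("*", f"{len(keyboards)} keyboards present ({', '.join(keyboards)})"))
    return findings

if __name__ == "__main__":
    print(*assess(parse_usb_log(SAMPLE_LOG)), sep="\n")
```

On a live system the same parser can be fed the output of `dmesg` or `journalctl -k`; a legitimate USB Ethernet adapter will not trigger the first rule because it exposes no keyboard.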
A USB keylogger is a small but even more insidious device with two USB ports that is inserted between the keyboard and the computer. It then records all keystrokes, including login credentials, which the attacker can later display by typing a secret code. More advanced models can be read out remotely over Wi-Fi. A keylogger can also take the form of a USB extension cable or be hidden inside the keyboard, where it is almost undetectable by ordinary inspection.
Protecting against hardware keyloggers is quite difficult. Users should stay vigilant and report any unknown device they notice in a port of their computer.
Eavesdropping on network communications
If we leave the USB port and turn to the LAN (RJ45) port, it is possible to eavesdrop on the computer’s network communication. For passive eavesdropping on unencrypted traffic, it is enough to connect the computer through a switch with a port mirroring function. If an attacker wants to manipulate the communication, perform man-in-the-middle attacks, or get past network access control based on the 802.1X protocol (particularly its older 2001 version), he can insert a laptop equipped with two network cards into the path. He can also use a small computer with two network ports that can be left hidden in place for extended periods of time.
How to prevent these attacks?
- Be vigilant and careful. It may sound like a cliché, but the truth is that a large proportion of attacks via connected hardware succeed because of employee curiosity. Remember, an attacker never sleeps, and it’s not a good idea to plug in a flash drive found by the copier.
- Always lock the computer. Just like you don’t leave the front door open when you leave the house.
- Be observant. Report any unknown devices or cables that mysteriously appear plugged into your computer to someone in your company’s IT department.
These devices are also used in penetration tests to verify endpoint security or in social engineering tests. If you’re interested in the topic, read more about penetration testing in one of our articles. Or take the first step towards better security for your organization and contact us. Our cybersecurity specialists can help you discover vulnerabilities in your infrastructure security beforehand.